0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250

General

Target

0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
Size

2.0MB
MD5

bbb5ac24fff7f744f85c92080b9b3648
SHA1

bb74591747b1936d966119c12da21c8836659e0b
SHA256

0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250
SHA512

b409772bc32dea1d676f3dcca18cdb62fa364c5f32e671ac39c351eed95cca97dbdcfab1fad76cc869af2c4430a1ff18a1c13e792713b9f05424d4a56b889ee3

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

pid process

1240 0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

pid	process
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

description pid process

Token: SeDebugPrivilege 1240 0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

description	pid	process
Token: SeDebugPrivilege	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe

description	pid	process	target process
PID 1240 wrote to memory of 368	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	wininit.exe
PID 1240 wrote to memory of 368	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	wininit.exe
PID 1240 wrote to memory of 368	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	wininit.exe
PID 1240 wrote to memory of 368	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	wininit.exe
PID 1240 wrote to memory of 368	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	wininit.exe
PID 1240 wrote to memory of 368	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	wininit.exe
PID 1240 wrote to memory of 368	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	wininit.exe
PID 1240 wrote to memory of 380	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	csrss.exe
PID 1240 wrote to memory of 380	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	csrss.exe
PID 1240 wrote to memory of 380	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	csrss.exe
PID 1240 wrote to memory of 380	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	csrss.exe
PID 1240 wrote to memory of 380	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	csrss.exe
PID 1240 wrote to memory of 380	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	csrss.exe
PID 1240 wrote to memory of 380	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	csrss.exe
PID 1240 wrote to memory of 416	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	winlogon.exe
PID 1240 wrote to memory of 416	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	winlogon.exe
PID 1240 wrote to memory of 416	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	winlogon.exe
PID 1240 wrote to memory of 416	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	winlogon.exe
PID 1240 wrote to memory of 416	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	winlogon.exe
PID 1240 wrote to memory of 416	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	winlogon.exe
PID 1240 wrote to memory of 416	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	winlogon.exe
PID 1240 wrote to memory of 460	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	services.exe
PID 1240 wrote to memory of 460	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	services.exe
PID 1240 wrote to memory of 460	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	services.exe
PID 1240 wrote to memory of 460	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	services.exe
PID 1240 wrote to memory of 460	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	services.exe
PID 1240 wrote to memory of 460	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	services.exe
PID 1240 wrote to memory of 460	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	services.exe
PID 1240 wrote to memory of 476	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsass.exe
PID 1240 wrote to memory of 476	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsass.exe
PID 1240 wrote to memory of 476	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsass.exe
PID 1240 wrote to memory of 476	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsass.exe
PID 1240 wrote to memory of 476	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsass.exe
PID 1240 wrote to memory of 476	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsass.exe
PID 1240 wrote to memory of 476	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsass.exe
PID 1240 wrote to memory of 484	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsm.exe
PID 1240 wrote to memory of 484	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsm.exe
PID 1240 wrote to memory of 484	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsm.exe
PID 1240 wrote to memory of 484	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsm.exe
PID 1240 wrote to memory of 484	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsm.exe
PID 1240 wrote to memory of 484	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsm.exe
PID 1240 wrote to memory of 484	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	lsm.exe
PID 1240 wrote to memory of 580	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 580	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 580	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 580	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 580	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 580	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 580	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 660	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 660	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 660	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 660	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 660	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 660	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 660	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 736	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 736	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 736	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 736	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 736	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 736	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 736	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe
PID 1240 wrote to memory of 800	1240	0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:280

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1048

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:876

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\596076891\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\596076891\zmstage.exe
1⤵
PID:1704

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe
"C:\Users\Admin\AppData\Local\Temp\0c2f07cdc6867474f1449072dd553249f1ef1aa19dac2abef98ba2f4baa15250.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads